I'm developing a website using AJAX/PHP. I use AJAX to load some HTML content by making requests to a PHP file. I would like to know if there is an easy way to prevent someone from loading that PHP file directly and getting that HTML content, since I want all the content to be loaded inside the main site/design.
Thanks in advance for any tip you can give me.
Referrers are easy to fiddle with; session variables are a bit harder.
That also applies to how easy it is to implement. With a session cookie you have to store that cookie on the server somewhere, then check it every time.
The referrer thing is a one-liner in the PHP script, and will stop people linking directly to images etc.
It really depends on how secure you need it to be, but those are the only 2 options really.
Let us know how you get on.
My first thought was to do it by checking HTTP_REFERER, but what worries me is that there are people using Norton and other applications that block this info by default, so the site would not work for them. I suppose it is a small percentage of people, though.
Sessions seem a good option too, but if I use sessions, one could load the main file (which creates the session) and, after it's created, he could load the other file directly, couldn't he?
Thanks again for your help!
What sort of behaviour are you trying to prevent? There are utilities to block referrers and also utilities to set the referrer to whatever the end user wants, so it's neither reliable nor secure.
Basically any data which appears in a browser can be gotten to, and all you're doing is changing the level of botheration for usurpers to get it. You can quickly reach a point where you raise the level of botheration for your intended audience to get it as well. If you're just trying to stop Joe.Blogger from unintentionally including your uncredited work on his page, then referrer will mostly do what you want except for, as you mentioned, the legitimate people who just don't want referrer filled in from their browsers. If someone(s) really want your uncredited content on their own pages, the next level up would be session control. After that comes putting it in a restricted access sort of situation wherein viewers have to put in a captcha code. Up from that would be user name & password, and beyond that, don't put it on the internet.
after it's created he could load the other file directly, couldn't he?
Like I said, if it's on the internet, it can be got. How many steps you're willing to take or how complex you make its protection depends on the value of the data and how far usurpers are willing to go to get it.
My site is about sports statistics and it's hard work to compile and enter all the info in the database, so that's why I want to protect this work a little bit. I know there is no perfect protection, but if I can make it a bit hard for anyone to copy the data then it will be enough.
Captcha and user registration are on another level, but I don't want to take it so far since I want to keep it simple for the user, so I will go with referrer and/or sessions.
Thanks a lot for your help!
If a browser can read it, so can a hacking script.
I can easily look at your page once, figure out where you have the sessionID in your page, write a script which grabs your page, gets the sessionID, then uses the javascript url and parameters to parse your database.
I can put anything in the headers including a referrer...
not even cookies can stop this because my script can accept and send cookies too...
cookies make it easy to know what to get and where to look...
Use a script to generate the page and put random hidden junk in the document, and change the location, structure, and name of your sessionID in the document for each request. Randomly put erroneous data in your sessionID which is ignored by the server script too. This won't stop everyone though.
Put several variables into the page you don't need, such as 3 random hidden variable strings. Randomly send 1 back. Put into your sessionID which 1 you use, then check for the other 2 on the server side; if you get either of the other 2, EXIT. Make sure you change which 1 every session.
DON'T ever call it a session, ID, login, access, username, password, key, salt, or anything resembling an identification or security feature.
One of my favorite things to put in a form is
<input type="hidden" name="password" value="some_random_string">
which is completely ignored...
The only safe way is to have them log in to a secure interface.
If your data is valuable enough to safeguard, it is valuable enough for me, the user, to log in to get it.
If you don't want them to log in to get your info, then changing your page like I mentioned above will discourage most hackers, but not all.
You may lose a couple of users because they don't want to log in, but it's better than losing it all.
Many hackers are spoiled losers with a golden spoon in their mouth, or have something to prove and nothing better to do than f**k something up. The harder you make it for them, the more they will get discouraged and go find something easy. It's just like a parking lot full of cars. The car thief will take the car next to the one with the alarm.
I heard someone say one time that your security level should meet or exceed your need. They said there is no point in wasting time making things too secure for trivial stuff. Well, I say that's a bunch of BS!
If everything was hard to get into, most of these 'hack-the-planet' losers would go away...
------------------------------
to all the real programmers, I use the term 'hackers' to mean illegal stuff, but you knew that.
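The two checks discussed earlier in the thread (session established by the main page, referrer as a soft hint) together with the decoy hidden-field trick from the post just above, combined into one added PHP example. This is not code from any poster here. It assumes PHP 7 or later with sessions enabled and HTTPS; `render_stats()` is a hypothetical stand-in for the real database query and returns constructed sample rows, and the field names `p1`, `p2`, `p3` and the parameter `r` are constructed for the example.

```php
<?php
// Added example, not code from any poster in this thread. One script plays both
// roles: ?part=main (default) renders the page, ?part=fragment answers the AJAX
// call. Assumes PHP 7+, sessions enabled, HTTPS. render_stats() is a hypothetical
// stand-in for the real database query and returns constructed sample rows.
declare(strict_types=1);
session_start();

const DECOY_FIELDS = ['p1', 'p2', 'p3'];   // bland names on purpose, see the post above
const TOKEN_TTL_SECONDS = 300;

function render_stats(): string
{
    // Constructed sample data; the real site would query its database here.
    return '<table><tr><td>Team A</td><td>12</td></tr><tr><td>Team B</td><td>9</td></tr></table>';
}

function render_main_page(): string
{
    // Only the main page marks the session as legitimate.
    $_SESSION['main_seen'] = true;

    // One-time token, issued here and consumed by the fragment handler, so a
    // captured fragment request cannot simply be replayed.
    $token = bin2hex(random_bytes(16));
    $_SESSION['frag_token'] = $token;
    $_SESSION['frag_token_issued'] = time();

    // Three hidden fields with random values; only one is "live" for this page
    // load. The session remembers which, and the handler rejects any request
    // that carries either of the other two.
    $live = DECOY_FIELDS[random_int(0, count(DECOY_FIELDS) - 1)];
    $values = [];
    foreach (DECOY_FIELDS as $name) {
        $values[$name] = bin2hex(random_bytes(8));
    }
    $_SESSION['frag_live_field'] = $live;
    $_SESSION['frag_live_value'] = $values[$live];

    $inputs = '';
    foreach ($values as $name => $value) {
        $inputs .= sprintf('<input type="hidden" name="%s" value="%s">', $name, $value);
    }
    // The page's own script sends the token plus the live field only.
    return '<!DOCTYPE html><html><body>' . $inputs
        . '<div id="stats" data-f="' . $live . '">loading...</div>'
        . '<script>'
        . 'var f = document.getElementById("stats").dataset.f;'
        . 'var b = new FormData();'
        . 'b.append("r", ' . json_encode($token) . ');'
        . 'b.append(f, document.querySelector("input[name=" + f + "]").value);'
        . 'fetch("?part=fragment", {method: "POST", body: b, credentials: "same-origin"})'
        . '  .then(function (r) { return r.text(); })'
        . '  .then(function (t) { document.getElementById("stats").innerHTML = t; });'
        . '</script></body></html>';
}

function reject(string $why): void
{
    // Same response for every failure; the reason goes to the server log only.
    error_log('fragment rejected: ' . $why);
    http_response_code(403);
    exit('Forbidden');
}

function serve_fragment(): void
{
    header('Content-Type: text/html; charset=utf-8');

    // 1. The session must have been created by the main page, not by this URL.
    if (empty($_SESSION['main_seen'])) {
        reject('no session from main page');
    }

    // 2. The one-time token must match (constant-time compare) and be fresh.
    //    It is removed before the verdict so a failed attempt cannot retry it.
    $expected = (string)($_SESSION['frag_token'] ?? '');
    $issued = (int)($_SESSION['frag_token_issued'] ?? 0);
    unset($_SESSION['frag_token'], $_SESSION['frag_token_issued']);
    $sent = (string)($_POST['r'] ?? '');
    if ($expected === '' || !hash_equals($expected, $sent)
        || (time() - $issued) > TOKEN_TTL_SECONDS) {
        reject('missing, stale or wrong token');
    }

    // 3. Decoy fields: the live one must arrive with the issued value, and
    //    neither of the other two may appear at all.
    $live = (string)($_SESSION['frag_live_field'] ?? '');
    foreach (DECOY_FIELDS as $name) {
        if ($name !== $live && isset($_POST[$name])) {
            reject('decoy field submitted: ' . $name);
        }
    }
    if (!hash_equals((string)($_SESSION['frag_live_value'] ?? ''), (string)($_POST[$live] ?? ''))) {
        reject('live field missing or altered');
    }

    // 4. Referrer is advisory only: some users strip it, so log but do not block.
    $ref = (string)($_SERVER['HTTP_REFERER'] ?? '');
    if ($ref !== '' && parse_url($ref, PHP_URL_HOST) !== ($_SERVER['HTTP_HOST'] ?? '')) {
        error_log('fragment served with foreign referrer: ' . $ref);
    }

    echo render_stats();
}

if (($_GET['part'] ?? 'main') === 'fragment') {
    serve_fragment();
} else {
    echo render_main_page();
}
```

One token is issued per page load and consumed by the first fragment request, which suits a page that makes a single AJAX call; a page that loads several fragments would issue one token per fragment, or a counter instead of a single-use flag. As the posters say, none of this stops a client that scripts the full page load and replays the page's own JavaScript; it removes the easy case of bookmarking or hot-linking the fragment URL, and the log lines from `reject()` and the referrer check give you a way to see how often that is being tried.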